[Mailman-Users] mail list script sending out spam and crashing server big style

stephen at xemacs.org
Sat Oct 21 06:56:01 CEST 2006


Heal Secretary writes:

 > My web host suspended my account because -
 > 
 > "mail list script sending out spam and crashing server big style"

As far as I can see, you did everything right that you could do.  Do
check for the SpamAssassin feature mentioned by JB at comcast.  (This
should be on by default if available!)

Given the way you present the problem, my first question is, "did
addresses other than list subscribers receive the spam?"  If people
not on your list *did* get the spam, then your host and the mailman
developers may have a *big* problem, and it doesn't involve you that I
can see.  (Except that we owe you thanks for the report!)  Please give
us more details in that case---if it could happen to you, there's a
chance it could happen to everybody.

If list members did get it, then

1.  Check to make sure that none of your members sent it (even with a
    personally approved list, this does happen, unfortunately).

2.  Recheck your configuration to make sure that it really is set so
    that only members can post to the list, etc.  Everybody makes
    mistakes; sometimes the instructions are hard to understand.  If
    you're not sure, read the FAQ and anything you still don't
    understand, ask here.

3.  You can check your archives, which will tell you the interesting
    part (where the spam came from and how it got to Mailman) as well
    as the logs can.  Get the "mbox" file containing all the messages,
    and read it with a text editor (not a mail program!).  Find a spam
    message, and look at the headers preceding it.  There will be a
    series of "Received:" headers, tracing the history of the message
    as it is processed by various parts of the Internet mail system.

    You cannot completely trust these (professional spammers will
    surely try to obscure the ultimate source), but if you don't
    understand them, you can post *the whole block of headers* here.
    NOTE: You should include *everything*, but omit any "Approved:"
    header, that may contain your administrator password.  Do tell us
    that you removed it, and whether the password was correct or not.
    (It shouldn't be there, but if it is, it's a clue.)  There may
    also be private information such as member addresses.  You should
    obscure anything that you know is personal information.  (E.g., if
    your address "secretary at healheadingly.org.uk" were in the headers
    you could change it to "member at mydomain.tld".)

4.  I don't know anything about cPanel logs, so I don't know what's
    available, but Mailman provides a wide variety of separate logs.
    The directly relevant ones are called "post" and "smtp".  Others
    that might contain clues are "error" and "vette".  These logs are
    not necessarily sufficient; you would also need access to the MTA
    logs.  IIRC, cPanel did *not* give you access to *any* of the
    above in the past, maybe they've changed in very recent versions.

    If all you can find are web logs, then (as you suspected) they're
    not related to the spam incident---they're kept separately by the
    webserver.

Finally, please be reassured.  IMO, a system crash is not your
responsibility, except in a minor contributory way.  Most of the
difficulty in designing and administering multiuser hosts is in
ensuring that one user cannot crash the system, and enormous effort
has been devoted to creating robust systems for 40 years.  This is the
designers' and administrators' responsibility, not yours.  Of course,
even with modern systems, it's not easy to provide nearly 100%
reliability.  So you should cooperate with the administrators'
requests to improve stability and security of the system, but you need
not accept blame (unless you found errors in step 1 or 2 above, and
even then, that's "minor" as I wrote above).

Also IMO, any host that offers Mailman via cPanel service or similar
is implicitly taking responsibility for spam.  Spam is best handled by
the MTA that actually talks to other hosts on the Internet, not by
services that are "behind the MTA" as Mailman is.  As Brad Knowles
often says, if spam gets caught by Mailman's filters, you've already
lost the point.  Even the more effective tools that can be configured
for use with Mailman are not part of Mailman, and so difficult or
impossible to use correctly from cPanel.  Only if you have access to
the MTA (examples are Sendmail, Postfix, or Exim) and other programs
like SpamAssassin can you really take responsibility for
spam-fighting.  Under cPanel, that's the host administrators.

If the administrators are trying to "blame" you (and a summary,
automatic suspension of service qualifies), then you should suspect
that they are not doing their jobs properly, and that you and their
other customers are at risk of similar incidents in the future.  I
don't recommend aggressively criticising your host---their customer
relations may not reflect their administrative competence---but
preparing to move to one with better customer relations and better
recommendations from current subscribers is probably a good idea.

HTH
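The procedure in item 3 above (pull the archive mbox, locate the spam, read its "Received:" chain from the bottom up, then strip the "Approved:" header and mask personal addresses before posting the header block) as an added Python example. This is not part of Stephen's reply and not Mailman's own code: the mbox contents, addresses, IP ranges and queue ids are constructed sample data, and the unfolding and masking rules (which headers are skipped, what the replacement address looks like) are the example's own assumptions.

```python
import mailbox
import os
import re
import tempfile

# Constructed sample mbox: one legitimate post and one "spam" to trace.
# Addresses, IPs and queue ids are documentation/example values, not real hosts.
SAMPLE_MBOX = """From member@example.org Sat Oct 21 06:56:01 2006
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by lists.example.net (Postfix) with ESMTP id ABC123
    for <list@example.net>; Sat, 21 Oct 2006 06:55:00 +0200
From: member@example.org
To: list@example.net
Subject: Minutes from last meeting
Message-ID: <1@example.org>

Hello all, minutes attached.

From member@example.org Sat Oct 21 07:10:01 2006
Received: from lists.example.net (localhost [127.0.0.1])
    by lists.example.net (Postfix) with ESMTP id DEF456
    for <list@example.net>; Sat, 21 Oct 2006 07:09:30 +0200
Received: from unknown (HELO relay.example.com) (203.0.113.7)
    by lists.example.net with SMTP; Sat, 21 Oct 2006 07:09:29 +0200
Received: from [198.51.100.23] (helo=pc)
    by relay.example.com with smtp; Sat, 21 Oct 2006 05:08:00 +0000
From: member@example.org
To: list@example.net
Subject: Cheap stuff
Approved: hunter2
Message-ID: <2@example.com>

Buy now.
"""

# Mailman 2.x honours both "Approved:" and its "Approve:" alias; neither
# belongs in a header block you post publicly (assumed list of names to drop).
SENSITIVE_HEADERS = ("approved", "approve")
# Headers whose "user@host" tokens are identifiers, not people, so leave them.
UNMASKED_HEADERS = ("message-id", "in-reply-to", "references")
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
MASK = "member at mydomain.tld"  # the placeholder suggested in the reply


def load_mbox(text):
    """Write mbox text to a temp file and parse it with the stdlib mailbox module."""
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as fh:
        fh.write(text)
        path = fh.name
    box = mailbox.mbox(path)
    try:
        return list(box)  # forces every message to be parsed before cleanup
    finally:
        box.close()
        os.unlink(path)


def find_messages(msgs, subject_substring):
    """Locate candidate spam by a case-insensitive Subject: fragment."""
    needle = subject_substring.lower()
    return [m for m in msgs if needle in (m.get("Subject") or "").lower()]


def received_chain(msg):
    """Return unfolded Received: headers oldest-first.

    Each MTA prepends its own Received: header, so the bottom-most one is the
    hop nearest the real origin and the top-most is the hop that handed the
    message to the list host.  Reversing gives the delivery path in order.
    """
    hops = msg.get_all("Received") or []
    return [" ".join(h.split()) for h in reversed(hops)]


def redact_headers(msg, keep_addresses=()):
    """Build a header block that is safe to post for help.

    Drops the admin-password headers and masks e-mail addresses (except those
    explicitly kept, e.g. the list's own address).  Returns (text, dropped)
    so the poster can say which headers were removed, as the reply asks.
    """
    keep = set(keep_addresses)
    lines, dropped = [], []
    for name, value in msg.items():
        lname = name.lower()
        if lname in SENSITIVE_HEADERS:
            dropped.append(name)
            continue
        unfolded = " ".join(value.split())
        if lname not in UNMASKED_HEADERS:
            unfolded = ADDR_RE.sub(
                lambda m: m.group(0) if m.group(0) in keep else MASK, unfolded)
        lines.append(f"{name}: {unfolded}")
    return "\n".join(lines), dropped


if __name__ == "__main__":
    spam = find_messages(load_mbox(SAMPLE_MBOX), "cheap")[0]
    for i, hop in enumerate(received_chain(spam), 1):
        print(f"hop {i}: {hop}")
    block, removed = redact_headers(spam, keep_addresses={"list@example.net"})
    print(f"\nremoved headers: {removed}\n{block}")
```

Reading the chain oldest-first shows where the message entered the mail system and which hop handed it to the list host; the queue id in the last hop is what to search for in the MTA and Mailman "smtp"/"post" logs if you have them. The masking is deliberately conservative (it keeps Message-ID intact and only whitelisted addresses visible) so the posted block still carries the clues a helper needs.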